uRPF - Need to Permit Asymmetric Flow via GRE/IPSec
Hello,
I've seen a number of posts about uRPF, rp_filter, and anti-spoofing protection, but none have any responses that address how to handle observed behavior.
I am working with a pfSense firewall that is being used with GRE and IPsec tunnels to connect to a cloud service provider.
It's up to the customer which they want to use - GRE or IPsec.
The provider uses ICMP probes to perform health checks of the tunnels - the health checks are the same irrespective of whether the tunnel is GRE or IPsec.
The path the health checks take effectively results in an asymmetric route, and uRPF/anti-spoofing protection will break the checks.
The path is as follows:
- They send an ICMP reply probe *** from inside their cloud
- The ICMP reply probe is encapsulated (GRE or IPsec) as it enters the tunnel
- pfSense receives the probe inside the tunnel, which lands on a virtual tunnel interface
- pfSense de-encapsulates the probe and forwards the packet to the destination IP - the return path egresses the Internet interface and travels across the commodity Internet on its way back to the cloud provider
Since the ICMP probes ingress a Virtual Tunnel Interface and egress through a physical interface, uRPF/rp_filter does not like this and drops the packet before it even starts making its way back to the cloud provider.
Is there any way to disable uRPF/rp_filter and/or configure a security rule that would allow this?
Thank you for your time,
-JeffH
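Added example, not part of JeffH's post: a small Python model of strict versus loose reverse-path checks against a constructed routing table, showing why the probe path described above fails a strict check but passes a loose one. The interface names, prefixes and probe source address are assumptions.

```python
import ipaddress

# Constructed routing table for the firewall: (prefix, egress interface).
# The provider's inside-cloud range has no specific route, so it falls to the
# default route out the Internet interface; the tunnel interface is "gre0".
BASE_ROUTES = [
    ("0.0.0.0/0", "wan"),       # default route: commodity Internet
    ("192.0.2.0/24", "wan"),    # assumed: provider tunnel endpoints (TEST-NET-1)
    ("10.50.0.0/16", "lan"),    # assumed: local network behind the firewall
]

def best_route(dst, routes):
    """Longest-prefix match over `routes`; returns (network, iface) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best

def rpf_check(src, ingress, mode, routes=BASE_ROUTES):
    """Reverse-path check on a packet's *source* address.
    strict: the best route back to src must point out the ingress interface.
    loose:  any route back to src is enough (the default route counts here).
    """
    hit = best_route(src, routes)
    if hit is None:
        return False
    if mode == "loose":
        return True
    return hit[1] == ingress

# The probe from the post: its source is inside the provider's cloud
# (constructed address 100.64.10.5), it arrives decapsulated on gre0, but the
# only route back to that source is the default route via wan.
PROBE_SRC, PROBE_IFACE = "100.64.10.5", "gre0"

def probe_results():
    """Pass/fail for strict, loose, and strict after adding a tunnel route.
    Note: the extra route satisfies strict mode, but it also moves the reply
    onto the tunnel, which is not the Internet return path the probe expects."""
    fixed = [("100.64.0.0/16", "gre0")] + BASE_ROUTES  # assumed cloud prefix
    return {
        "strict": rpf_check(PROBE_SRC, PROBE_IFACE, "strict"),
        "loose": rpf_check(PROBE_SRC, PROBE_IFACE, "loose"),
        "strict+tunnel_route": rpf_check(PROBE_SRC, PROBE_IFACE, "strict", fixed),
    }

if __name__ == "__main__":
    for name, ok in probe_results().items():
        print(f"{name:>20}: {'pass' if ok else 'DROP'}")
```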